Reap the Benefits of Office 365 and Stay PCI Compliant

Cloud technologies offer organizations a host of competitive advantages, such as improved collaboration and operational flexibility. However, companies see certain gaps in terms of cloud data security. Netwrix’s global 2015 Cloud Security Survey found that 65% of companies are concerned about cloud security and 40% are concerned about the loss of physical control over data in the cloud.

Consider Microsoft Office 365 and cardholder data. Although Office 365 comes with a wide range of service-level security controls, such as physical datacenter security, network protection and malware filtering, those controls do not give customers enough visibility into activity and security settings to prove compliance with PCI DSS. Microsoft itself states that it does not take responsibility for making your use of Office 365 PCI compliant; the PCI DSS Level 1 attestation Microsoft holds covers only its own ordering, billing and payment systems. For its customers, the company warns, “Office 365 services are not suitable for processing, transmitting, or storing PCI-governed data” and “customers should not use the Office 365 service to transmit or store [cardholder] data for their own use.”

More broadly, the Gartner report Clouds Are Secure: Are You Using Them Securely? predicts that through 2020, 95% of cloud security failures will be the customer’s fault. In other words, organizations without a proper strategy for cloud computing can easily fail to secure their data, increasing the risk of compliance findings and data loss.

If you deal with sensitive data, you might conclude that cloud technologies are simply off limits. However, with a sound security strategy, the risks can be kept manageable. In particular, despite its limitations, you don’t have to give up on Office 365 even if you must be PCI compliant. One of the key steps toward passing a PCI DSS audit is to keep Office 365 out of the scope of your cardholder data environment (CDE): if cardholder data is never stored, processed or transmitted through the service, the service and its controls do not have to be assessed.

Here’s what you need to do to reap the benefits of Office 365 while also ensuring data security:

1. Choose your data storage location wisely. Data security depends heavily on knowing where your data resides and how it is used. Although Microsoft has begun to disclose information about the country where data is stored and when it is transferred in Office 365, it still states:

The requirements of providing the services may mean that some data is moved to or accessed by Microsoft personnel or subcontractors outside the primary storage region.

For instance, to address latency, routing data may need to be copied to different datacenters in different regions. In addition, personnel who have the most technical expertise to troubleshoot specific service issues may be located in locations other than the primary location, and they may require access to systems or data for purposed [sic] of resolving an issue.

This statement means there is no guarantee that data stays in one location at all times, which can be a problem in a PCI DSS audit, where you may be asked to show exactly where cardholder data is stored, where it moves and who can access it.

Given this, the most practical way to reap the benefits of cloud technologies while meeting PCI DSS requirements is often a hybrid strategy: keep cardholder data on premises, outside the cloud service, so that you retain control over who can reach it and can show an auditor exactly where it lives.

2. Know where your sensitive data is. PCI DSS also governs how cardholder data is stored (Requirement 3) and transmitted (Requirement 4), so you need to ensure that the files and emails in Office 365 do not carry cardholder data at all; a single primary account number pasted into a mailbox or a SharePoint document pulls the service back into scope. Although Office 365 offers a set of data loss prevention tools, those tools might not be sufficient to prevent cardholder data from occasionally being processed or transferred outside the PCI-controlled environment. To keep proper control over your email system and file storage, adopt additional solutions that can detect cardholder data in the content of emails, attachments and other files, and make sure they validate candidate card numbers rather than flagging every long run of digits.

3. Enable visibility into sensitive data. PCI DSS Requirement 10 requires you to track and monitor all access to network resources and cardholder data, with audit trails that link each access event to a user. If cardholder data sits in a service whose audit trail you do not control, it is hard to prove to an assessor that you know about every attempt to reach it. This is another reason to keep cardholder data on premises, where you have more flexibility in your choice of security tooling. For instance, some on-premises solutions provide user behavior analytics (UBA) that analyze who did what, when and where across your IT infrastructure and flag anomalies, such as access outside business hours or from an unfamiliar host, before they turn into a breach. Used this way, the technology gives you the visibility across the environment that PCI compliance demands and alerts you to changes that could lead to a data leak.
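The two checks that steps 2 and 3 call for, as an added example that is not part of the original post and is not Netwrix or Microsoft code: a content scanner that finds primary account numbers in mail and file text, validating candidates with the Luhn check so that order references and tracking numbers are not flagged, and an audit-trail review that flags access to cardholder data which is unauthorized, off-hours, or from a host the user has not used before. The messages, user names, hosts, object paths and the authorized-user set are all constructed assumptions; the two card numbers are the public Visa and Mastercard test PANs.

```python
"""Added example, not from the original post or from Netwrix/Microsoft tooling.
(1) find_pans/scan_messages: locate PANs in content (step 2).
(2) audit_cde_access: review a constructed access log for out-of-policy
    access to cardholder data (step 3, PCI DSS Requirement 10).
All sample messages, users, hosts and paths below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# 13-19 digits with optional single space or dash separators; the lookarounds
# keep a match from starting or ending inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: card-scheme PANs pass it, most order, phone and
    tracking numbers do not, which removes the bulk of false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return PANs found in text, masked to first six and last four digits,
    the most that PCI DSS v3.x Requirement 3.3 allows to be displayed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan_messages(messages):
    """messages: {name: text}. Returns only the items containing cardholder data."""
    findings = {}
    for name, text in messages.items():
        hits = find_pans(text)
        if hits:
            findings[name] = hits
    return findings


# Constructed mail and file content. The order reference is a 16-digit number
# that fails the Luhn check, so it must not be reported.
SAMPLE_MESSAGES = {
    "expense-report.txt": "Paid with corporate card 4111 1111 1111 1111, exp 09/27. Receipt attached.",
    "order-confirm.eml": "Order ref 1234-5678-1234-5678 shipped; tracking 1Z999AA10123456784.",
    "support-ticket.txt": "Customer read out card 5500000000000004 over the phone, please refund.",
    "weekly-status.txt": "Q3 revenue 12,345,678 USD; call 555-0100 with questions.",
}

# Requirement 10 side: one constructed line per access to the on-premises CDE share.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<object>\S+) host=(?P<host>\S+)$"
)
AUTHORIZED_CDE_USERS = frozenset({"jsmith", "mlee"})  # assumed CDE role membership
SAMPLE_ACCESS_LOG = """\
2024-03-04T09:12:44Z user=jsmith action=read object=cde-fs01:/cardholder/batch-0304.csv host=WS-FIN-12
2024-03-04T09:40:10Z user=jsmith action=read object=cde-fs01:/cardholder/batch-0304.csv host=WS-FIN-12
2024-03-04T10:02:51Z user=mlee action=write object=cde-fs01:/cardholder/refunds.xlsx host=WS-FIN-07
2024-03-05T02:17:09Z user=jsmith action=read object=cde-fs01:/cardholder/batch-0304.csv host=VPN-GW-3
2024-03-05T11:30:00Z user=tadmin action=read object=cde-fs01:/cardholder/batch-0305.csv host=WS-IT-01
"""


def audit_cde_access(log_text, authorized_users, business_hours=(7, 19)):
    """Return (user, reason, line) for each access a reviewer should look at.
    The per-user host baseline is built from the trail itself: the first host
    seen for a user is trusted, any later host is reported as new."""
    seen_hosts = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            findings.append(("?", "unparseable audit line", line))
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, host = m["user"], m["host"]
        if user not in authorized_users:
            findings.append((user, "not authorized for cardholder data", line))
        if not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append((user, "access outside business hours", line))
        if seen_hosts[user] and host not in seen_hosts[user]:
            findings.append((user, "first access from new host " + host, line))
        seen_hosts[user].add(host)
    return findings


if __name__ == "__main__":
    for name, hits in scan_messages(SAMPLE_MESSAGES).items():
        print(f"{name}: cardholder data found {hits}")
    for user, reason, line in audit_cde_access(SAMPLE_ACCESS_LOG, AUTHORIZED_CDE_USERS):
        print(f"{user}: {reason}\n    {line}")
```

On the sample data the scanner reports only the expense report and the support ticket, and the audit review raises three findings: the off-hours read, the same read coming from a VPN gateway the user had never used, and a read by an account outside the assumed CDE role. A production scanner would also need to look inside attachments (Office documents, PDFs, archives) rather than only at plain text, and the host baseline would come from a longer history than a single day's trail.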

If you are eager to take advantage of the many benefits of Office 365 or other cloud technologies, don’t let security and compliance concerns stand in your way. Rather, keep exploring your options and workarounds, as there are plenty of solutions that will help you strengthen security, streamline compliance and optimize your expenses.


Alex Vovk is an accomplished expert in information security and CEO and co-founder of Netwrix, the first company to introduce a visibility and governance platform that supports both on-premises and hybrid cloud IT environments.